Title: BugBear Warning - A Dangerous Computer Worm
by Roy Linker


A new version of the Tanatos (aka Bugbear) Internet worm has been detected

I just checked my email today and so far I have received 10 copies of the highly dangerous new release of the BugBear computer worm, also referred to as the Tanatos worm.

" Kaspersky Labs, an international data security software developer, reports the detection of a new version of the "Tanatos" Internet worm, Tanatos.b (aka Bugbear.b). The new version of this malicious program has an array of dangerous functions. Tanatos.b can infect the executable files of many programs as well as cause the leakage of confidential information. Presently, numerous incidences of infection at the hands of Tanatos.b have been registered. The Tanatos.b Internet worm spreads via e-mail as a file attachment. The e-mail message itself can have various subjects, message texts, and file attachment names. Infection occurs when the file attachment harboring the malicious code is activated; once this happens, the spreading routine is begun. There are several ways to launch the hazardous file: via the FRAME breach in the Internet Explorer security system (which starts the worm upon message opening), manually when a user opens the infected file attachment, or through local area networks.

When installing, Tanatos.b copies itself under random file names into the Windows registry auto-run keys, creates files in the Windows system directory, and copies itself into the Windows directory and the temp files directory.

Next the worm starts its spreading routine using the built-in SMTP engine. To send itself out via e-mail, Tanatos.b looks for e-mail addresses by scanning the available drives for files with the following extensions:
*.ODS, *.INBOX, *.MMF, *.NCH, *.MBX, *.EML, *.TBB, *.DBX.

Tanatos.b has several dangerous functions. It infects the executable files in the Windows operating system. In the list of objects infected by Tanatos.b there are executable files from many other popular programs, including Outlook Express, Internet Explorer, WinZip, the KaZaA file sharing system, ICQ, and MSN Messenger.

Additionally, the new version of Tanatos has the ability to function as a backdoor program, allowing the virus's creator to control infected machines and gain access to confidential information. To accomplish this, the worm opens port 1080, through which it can do the following:

* Transfer hard drive data
* Copy, open and delete files
* Inform about active applications and to close them
* Load files from remote computers and send keyboard log reports to the virus author
* Set up an HTTP server

The first version of the Tanatos Internet worm was detected in September 2002. At that time Tanatos caused a huge number of infections the world over. The worm combined the functionality of an Internet worm with that of a Trojan program, making it an exceptionally dangerous program capable of leaking out confidential information."

Kaspersky Lab Corporate Communications

According to reports published in the computer press in recent days, BugBear has surpassed the infamous Klez to become the fastest-spreading computer worm or virus in history.

Kaspersky Labs and Panda, two major providers of free online virus scans, each now report that nearly 20% of the computers found infected with malicious code carry the BugBear worm. The Helsinki-based antivirus and computer security firm F-Secure rates BugBear as the worst current computer security outbreak. Symantec, publisher of the popular Norton AntiVirus, rates the threat as “severe”; McAfee rates the risk as “high”.

This worm is written in C++ and combines the worst of the Badtrans virus, the Klez worm, and a backdoor Trojan in one program. On an infected computer it terminates the processes of common antivirus and personal firewall products, spreads to other machines over accessible network shares, and mails itself out using its own built-in SMTP engine.

Like Klez, which until BugBear had been the most rapidly spreading virus or worm, BugBear exploits the widely publicized MIME-handling hole in Internet Explorer 5.01 and 5.5, a hole that Outlook and Outlook Express also expose because they use the IE engine to render HTML mail. Microsoft published a patch for it in March 2001 (security bulletin MS01-020), and the fix is offered through “Windows Update”, built into every version of Windows since Windows 98 (click START - WINDOWS UPDATE while online and install the free “Critical Updates” Microsoft has compiled for your system). Millions of Windows users have never installed it. Those users are at real risk of having personal information stolen: identity theft, exposure of private or confidential data, compromise of credit card and banking details, and a hacker able to read, modify, or delete any file on the hard drive at will.

BugBear, like Klez, Yaha, and similar worms, can be activated simply by opening an e-mail that carries the malicious attachment, or by letting that message appear in the preview pane of an unpatched Outlook or Outlook Express. With other e-mail programs (or a patched Outlook), the computer is infected only when the user opens the attachment. Once it runs, the worm cripples antivirus and firewall utilities without any sign the user would notice.

BugBear then replicates by repeatedly e-mailing itself to addresses harvested from the victim's mailboxes and address book, using a variety of subjects, body texts, and attachment names, and by copying itself over the network to every computer it can reach. (The idea that putting an address beginning with “!0000” in your address book prevents this is a HOAX.) Because the messages go to people in the victim's address book, they appear to come from someone the recipient knows, a classic social-engineering technique.

Multiple references to the worm are written to the registry and to “.INI” files, so BugBear is reloaded each time the computer boots, and there is no clearly visible indication to the user that the computer is infected. Once installed, a keystroke logger records everything the user types: user names, passwords, credit card numbers, and any other information entered. The backdoor Trojan lets a hacker connect to the infected machine, download the captured keystrokes, and read every file and document on the computer without restriction. Because BugBear is stealthy and not visibly destructive, the user will likely never know the computer is infected or that outsiders can reach it remotely. Antivirus software will still appear to be loaded and updated, and the firewall will appear to run, but in reality both are useless.

Frequently updated antivirus software offers excellent protection, but only if the BugBear signatures were installed before the infection. Practicing “safe hex”, deleting suspicious e-mails and attachments before they can appear in a preview pane, greatly reduces the chance of infection.
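The Kaspersky description above (random-named auto-run entries, a listener on port 1080, address harvesting from mailbox files) and the paragraphs just above (registry and .INI persistence, crippled host-based defences) give an investigator a short list of things to check. The script below is an added example written for this page, not Kaspersky's, Symantec's or PC Lifeline's code, and it detects nothing by itself on the machine it runs on: it works on text captured from the suspect PC (the output of `reg query` for the Run key, a copy of win.ini, and `netstat -an` output) and copied to a clean workstation, so it runs offline. All sample captures are constructed, and the function names, the drop-folder list and the KNOWN_GOOD allowlist are assumptions for illustration; tune the allowlist to the build you actually deploy.

```python
"""Offline host triage for the Bugbear/Tanatos indicators described on this page.

Added example, not the page's or Kaspersky's code. Inputs are text captured
from the suspect machine (reg query output, win.ini, netstat -an output) and
a list of file paths; every sample below is constructed, not a real capture.
"""
import re
from pathlib import PureWindowsPath

# Folders the text says the worm drops its randomly named copy into.
DROP_DIRS = {"windows", "system", "system32", "temp"}
# Autorun executables expected on this hypothetical host (assumption; tune per build).
KNOWN_GOOD = {"systray.exe", "loadwc.exe", "scanregw.exe"}
# Mailbox/address-book extensions the worm harvests addresses from (from the text).
HARVEST_EXTS = {".ods", ".inbox", ".mmf", ".nch", ".mbx", ".eml", ".tbb", ".dbx"}

# "    ValueName    REG_SZ    data" lines as printed by reg query on Windows.
REG_LINE = re.compile(r"^\s+(?P<name>\S.*?)\s+REG_(?:EXPAND_)?SZ\s+(?P<data>.+?)\s*$")
# "  TCP    0.0.0.0:1080    0.0.0.0:0    LISTENING" lines from netstat -an.
NETSTAT_LINE = re.compile(r"^\s*TCP\s+(?P<local>\S+)\s+\S+\s+LISTENING\s*$", re.I)


def image_path(data):
    """Strip quotes and arguments from a Run value to get the executable path."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    return data.split()[0]


def suspicious_run_entries(reg_text):
    """Run values whose executable lives in a drop folder and is not known-good.

    The worm's file name is random, so we cannot search for a fixed name;
    instead anything in a drop folder that is not on the allowlist is reported.
    """
    hits = []
    for line in reg_text.splitlines():
        m = REG_LINE.match(line)
        if not m:
            continue
        exe = PureWindowsPath(image_path(m.group("data")))
        if exe.parent.name.lower() in DROP_DIRS and exe.name.lower() not in KNOWN_GOOD:
            hits.append((m.group("name"), str(exe)))
    return hits


def ini_autoruns(ini_text):
    """Programs started by run=/load= in the [windows] section of win.ini (empty when clean)."""
    out, section = [], None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and "=" in line:
            key, _, val = line.partition("=")
            if key.strip().lower() in ("run", "load") and val.strip():
                out.append((key.strip().lower(), val.strip()))
    return out


def backdoor_listeners(netstat_text, port=1080):
    """Local TCP listeners on the backdoor port, from netstat -an output."""
    return [m.group("local") for m in map(NETSTAT_LINE.match, netstat_text.splitlines())
            if m and m.group("local").rsplit(":", 1)[-1] == str(port)]


def harvested_mailboxes(paths):
    """Files the worm would have read addresses from: whose contacts to warn about forged mail."""
    return [p for p in paths if PureWindowsPath(p).suffix.lower() in HARVEST_EXTS]


def triage(reg_text, ini_text, netstat_text, files):
    """Collect all four indicator checks into one report."""
    return {
        "run_key": suspicious_run_entries(reg_text),
        "win_ini": ini_autoruns(ini_text),
        "port_1080": backdoor_listeners(netstat_text),
        "harvested": harvested_mailboxes(files),
    }


# Constructed sample captures (not real data). "Lqvx.exe" stands in for a random name.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SystemTray    REG_SZ    SysTray.Exe
    AcroTray    REG_SZ    "C:\Program Files\Adobe\AcroTray.exe" /quiet
    Lqvx    REG_SZ    C:\WINDOWS\SYSTEM32\Lqvx.exe
"""
SAMPLE_INI = r"""[windows]
load=
run=C:\WINDOWS\TEMP\Lqvx.exe
[Desktop]
Wallpaper=(None)
"""
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1026       192.168.1.1:25         ESTABLISHED
"""
SAMPLE_FILES = [r"C:\Mail\Outlook Express\Inbox.dbx", r"C:\Mail\Eudora\In.mbx", r"C:\WINDOWS\win.ini"]

if __name__ == "__main__":
    for key, val in triage(SAMPLE_REG, SAMPLE_INI, SAMPLE_NETSTAT, SAMPLE_FILES).items():
        print(f"{key}: {val}")
```

Two caveats when reading the report. A listener on TCP 1080 is also the standard SOCKS proxy port, so a hit there is a lead to confirm (which process owns the socket, and is a proxy supposed to be installed?) rather than proof on its own. And because the worm terminates antivirus and firewall processes, any tool run on the live infected system, including netstat, may be lying; capture the inputs after booting from known-clean media, or at least compare them against a second capture taken from the network side.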

Since BugBear is written in C++, a common language, it is likely that malicious programmers will modify the code and create variants that evade the protection offered by recently updated antivirus software, just as happened with the many variants of the Klez worm.

Last Update: 7/20/2003


Copyright © 1999 - 2012 PC Lifeline